(54) Preventing monitoring of data remotely sent from a metering
accounting vault to digital printer

(57) For preventing monitoring of postage indicia data which is
sent from a postage metering vault to a remotely located digital
printer (21) over a communication link (C11) between the meter
vault and the digital printer (21), the meter (11) is provided
with an encryption engine (37) for encrypting postage indicia
data utilizing an encryption key. The digital printer (21)
includes a decryption engine (53) for decrypting postage data
received from said meter (11) utilizing the same encryption key
and then prints a postage indicia pursuant to the decrypted
postage indicia data. The postage meter (11) also includes a key
manager (39) for generating a new encryption key pursuant to a
token which is either randomly generated or generated pursuant
to an algorithm by a similar encryption key manager located in
the digital printer (21), which token is also used to generate
the decryption key for the decryption engine (53). As a result,
the encryption keys are the same.

FIG. 2

Description

The present invention relates to a postage metering 
system using digital printing. 

A conventional postage meter is comprised of a vault and impact
printing mechanism housed in a secure housing having tamper
detection. The printing mechanism is specifically designed to
provide a physical barrier preventing unauthorized access to the
printing mechanism except during the posting process. It is now
known to use postage meters employing digital printing
techniques. In such systems, the vault and digital printer
remain secure within the secure housing.

It is also known to employ a postage meter in combination with
an inserting system for the processing of a mail stream. It has
been determined that it would be beneficial to configure a
postage metering system which is configured to employ an
inserter and digital printer in combination with a remotely
located vault. Such a configuration, however, exposes the
digital printer system to tampering, that is, the accounting and
printer control apparatus are remotely located and are
electrically interconnected to a print head. Data exchanged
between the two devices is subject to interception and possible
tampering since the electrical interconnects are not physically
secure.

It is an object of the present invention to present a 
method of providing a secure data transfer between a 
vault and a remotely located digital printer. 

It is a further objective of the present invention to prevent a
method of recording and later replaying the data representing
the postage indicia image.

The metering system includes a meter in bus communication with a
digital printer for enabling the meter to be remotely located
from the digital printer. The meter includes a vault which is
comprised of a micro controller in bus communication with an
application specific integrated circuit (ASIC) and a plurality
of memory units secured in a tamper resistant housing. The ASIC
includes a plurality of control modules, one of which is a
printer controller module and another of which is an encryption
module. The digital printer includes a decoder ASIC sealed to
the print head of the digital printer which communicates to the
printer controller module via a printer bus. Communication
between the printer controller and the print head decoder
interface is accomplished through a printer bus, and these
communications are encrypted by any suitable known technique,
for example, a data encryption standard (DES) algorithm. By
encrypting the output of the printer controller module along the
printer bus, any unauthorized probing of the output of the
printer controller to acquire and store the signals used to
produce a valid postage print is prevented. If the electrical
signals are probed, the data cannot easily be reconstructed into
an indicia image by virtue of the encryption. The print head
decoder consists of a custom integrated circuit located in
proximity to the printing elements. It receives the output from
the printer controller, decrypts the data, and reformats the
data as necessary for application to the printing elements.

The printer controller and print head controller contain
encryption key manager functional units. The encryption key
manager is used to periodically change the encryption key used
to send print data to the print head. The actual keys are not
sent over the interface, rather, a token representing a specific
key is passed. The key can be updated every time the printer
controller clears the print head decoder, after a particular
number of print cycles, or after a particular number of state
machine clock cycles. By increasing the number of encryption
keys, the probability that the system will be compromised
diminishes.

Fig. 1 is a diagrammatic representation of a postage 
meter in combination with a remote printing mechanism 
in accordance with the present invention. 

Fig. 2 is a diagrammatic representation of the postage meter
micro control and printer micro control systems in accordance
with the present invention.

Referring to Fig. 1, the postage meter control system 11 is
comprised of a micro controller 13 in bus communication with a
memory unit 15 and ASIC 17. The printing mechanism 21 is
generally comprised of a print controller 23 which controls the
operation of a plurality of print elements 27. Data is
communicated between the meter control system 11 and the print
mechanism over a bus C11. Generally, print data is first
encrypted by an encryption module 18 and presented to the
printer controller 23 through a printer controller module 19 of
the ASIC 17. The data received by the print controller 23 is
decrypted by a decryption module 25 in the print mechanism 21
after which the print controller 23 drives the print elements 27
in accordance with the received data. The data exchanged between
the two devices is subject to interception and possible
tampering since the electrical interconnects are not physically
secure. Utilizing encryption to electrically secure the
interface between the printer controller and print head reduces
the ability of an external intrusion of data to the print
mechanism 21 to drive unaccounted for posting by the printing
mechanism 21. If the electrical signals are probed, the data
cannot easily be reconstructed into an indicia image by virtue
of the encryption. The print head mechanism consists of a custom
integrated circuit ASIC, more particularly described
subsequently, located in proximity to the printing elements to
allow physical security such as by epoxy sealing of the ASIC to
the print head substrate utilizing any suitable known process.

Referring to Fig. 2, the meter control system 11 is secured
within a secure housing 10. More specifically, a micro
controller 13 electrically communicates with an address bus A11,
a data bus D11, a read control line RD, a write control line WR,
a data request control line DR and a data acknowledge control
line DA. The memory unit 15 is also in electrical communication
with the bus A11 and D11, and control lines RD and WR. An
address decoder module 30 electrically communicates with the
address bus A11. The output from the address decoder 30 is
directed to a data controller 33, timing controller 35,
encryption engine 37, encryption key manager 39 and shift
register 41. The output of the address controller 30 operates in
a conventional manner to enable and disable the data controller
33, timing controller 35, encryption engine 37, encryption key
manager 39 and shift register 41 in response to a respective
address generated by the microcontroller 13.

The data controller 33 electrically communicates with the
address bus and data bus A11 and D11, respectively, and also
with the read and write control lines RD and WR, respectively.
In addition, the data controller 33 electrically communicates
with the data request DR and data acknowledge DA control lines.
The output from the data controller 33 is directed to an
encryption engine 37 where the output data from the data
controller 33 is encrypted using any one of several known
encryption techniques, for example, the DES encryption
algorithm. The output from the encryption engine 37 is directed
to the shift register 41. The timing controller 35 electrically
communicates with the data controller 33, the encryption engine
37 and shift register 41 for providing synchronized timing
signals to the data controller 33, the encryption engine 37 and
shift register 41. The timing controller 35 receives an input
clock signal from a state machine clock 43. In the most
preferred configuration, an encryption key manager 39 is in
electrical communication with the encryption engine 37 for the
purposes of providing added system security in a manner
subsequently described.

The printer mechanism 21 control ASIC includes a shift register
51, decryption engine 53 and a print head format converter 55.
The output from the shift register 51 is directed to the input
of the decryption engine 53. The output of the decryption engine
53 is directed to the print head format converter 55. The timing
controller 56 electrically communicates with the shift register
51, decryption engine 53 and a print head format converter 55
for providing synchronized timing signals to the data controller
33, the encryption engine 37 and shift register 41. The timing
controller 56 receives an input clock signal from a state
machine clock 59. In the most preferred configuration, an
encryption key manager 61 is in electrical communication with
the encryption engine 37 for the purposes of providing added
system security and communicating with the encryption key
manager 39 of the meter 10. The printer control ASIC
electronically communicates with the print elements 63.

In operation, the meter which contains the accounting vault is
remotely located from the printer 21. Upon initiation of a print
cycle, the micro controller 13 generates a command to the data
controller 33 to begin transferring the image to the encryption
engine 37. For each location in the memory unit 15 which
represents the indicia image, the data controller 33 asserts the
Data Request DR signal. This causes the micro controller 13 to
relinquish control of the Address Bus A11, Data Bus D11, Read
Signal RD, and Write Signal WR to the data controller 33. The
micro controller indicates it has relinquished these resources
by asserting the Data Acknowledge Signal DA. The data controller
33 then generates a read bus cycle by properly asserting A11,
RD, and WR. In response, the address decoder 30 generates the
enable signals for the memory unit 15, thus causing the memory
unit 15 to output the image data on the Data Bus D11. The data
is input to the data controller 33 which reformats the image
data into 64-bit data messages and passes the 64-bit data
messages to the encryption engine 37. The encryption engine 37
then encrypts the data using any suitable encryption algorithm
and the encryption key supplied by the encryption key manager
39. The encrypted data is then passed to the shift register 41
for serial communication of the encrypted data to the printer
21. The operation of the data controller 33, encryption engine
37 and shift register 41 is synchronized by the timing
controller 35 which receives a clocking signal from the state
machine clock 43.

Over a communication bus C11, the encrypted serial data output
from the shift register 41 is directed to the shift register 51
of the printer 21. Also carried over the bus C11 are the
appropriate clock signals for clocking the data into the shift
register 51 and a print command (Print Cmmd). When the whole of
the encrypted data has been transmitted, a clear signal is
generated over the bus C11. The shift register 51 of the printer
21 reformats the encrypted data back into 64-bit parallel form
and transfers the 64-bit data messages to the decryption engine
53 which decrypts the data using the same key used to encrypt
the data which is provided by the encryption key manager 61. The
decrypted data is then received by the print format converter 55
for delivery to the print head driver which enables the
appropriate printing elements. It should now be appreciated that
the process described is particularly suitable for any form of
digital printer, such as, ink jet or thermal. Once the printing
process has been completed a ready signal is sent to the meter
over the bus C11.

The function of the encryption key manager in both printer
controller and print head controller is to periodically change
the encryption key used to send print data to the print head.
The actual keys are not sent over the interface, rather, a token
representing a specific key is passed. This token may be the
product of an algorithm which represents any desired compilation
of the data passed between the meter and the printer over some
predetermined period. The token is then sent to the encryption
key manager 39 which generates an identical key based on the
token. For example, the key can be updated every time the
printer controller clears the print head decoder, after a
particular number of print cycles, or after a particular number
of state machine clock cycles. By increasing the number of
encryption keys, the probability that the system will be
compromised diminishes. Preferably, the selection of the
encryption key is a function of the print head decoder. This is
done because if one key is discovered, the print head decoder
could still be made to print by instructing the decoder to use
only the known (compromised) key. The print head decoder can be
made to randomly select a key and force the printer controller
to comply. Once the data is decrypted, it is vulnerable to
monitoring or tampering. By sealing the decoder to the print
head and using any suitable known tamper protection techniques,
the data can be protected. Such techniques include incorporating
the decoder on the same silicon substrate as the printing
elements, utilizing chip-on-board and encapsulation techniques
to make the signals inaccessible, constructing a hybrid circuit
in which the decoder and printing elements are in the same
package, utilizing the inner routing layers of a multi-layer
circuit board to isolate the critical signals from unwanted
monitoring, and fiber optic or opto-isolation means.
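
The token-based key change described above, and the stated objective of defeating recording and later replaying of indicia data, as an added example (not code from the patent): the print head decoder picks a random token, both key managers derive the same key from it, and data recorded under the previous key no longer decrypts to the indicia. HMAC-SHA256 stands in for the DES engine, and `device_secret`, `Endpoint`, `rotate` and the sample indicia bytes are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 8  # bytes per 64-bit data message, as in the description


def derive_key(device_secret: bytes, token: bytes) -> bytes:
    # Key manager: map a token to a key; only the token crosses the bus.
    # Assumption: both key managers hold device_secret. Without it, anyone
    # who observes the token could run the same algorithm and get the key.
    return hmac.new(device_secret, b"print-key" + token, hashlib.sha256).digest()


def frame(image: bytes) -> list:
    """Data controller: split the image into 64-bit messages (zero padded)."""
    padded = image + b"\x00" * (-len(image) % BLOCK)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def crypt(key: bytes, blocks: list) -> list:
    """Stand-in cipher engine: XOR each message with an HMAC keystream."""
    # The same call encrypts and decrypts. A key must cover one image only,
    # which the per-clear rotation in demo() guarantees.
    out = []
    for i, blk in enumerate(blocks):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]
        out.append(bytes(a ^ b for a, b in zip(blk, ks)))
    return out


class Endpoint:
    """One side of bus C11: the meter vault or the print head decoder."""

    def __init__(self, device_secret: bytes):
        self._secret, self._key = device_secret, None

    def rekey(self, token: bytes) -> None:
        self._key = derive_key(self._secret, token)

    def crypt(self, blocks: list) -> list:
        return crypt(self._key, blocks)


def rotate(meter: Endpoint, head: Endpoint) -> bytes:
    """The print head decoder selects the key: random token, sent in clear."""
    token = secrets.token_bytes(8)
    head.rekey(token)
    meter.rekey(token)   # meter derives the identical key from the token
    return token


def demo():
    secret = secrets.token_bytes(32)                 # constructed shared secret
    meter, head = Endpoint(secret), Endpoint(secret)
    indicia = b"CONSTRUCTED INDICIA $0.32 #0001 "    # 32 bytes, constructed
    rotate(meter, head)
    recorded = meter.crypt(frame(indicia))           # what a bus probe captures
    first = b"".join(head.crypt(recorded))           # legitimate print
    rotate(meter, head)                              # clear signal: new key
    replayed = b"".join(head.crypt(recorded))        # recorded data, stale key
    fresh = b"".join(head.crypt(meter.crypt(frame(indicia))))
    return indicia, recorded, first, replayed, fresh
```

Because the decoder, not the sender, chooses each token, a party that has learned one old key cannot instruct the print head to keep using it.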

The provided description illustrates the preferred embodiment of
the present invention and should not be viewed as limiting. The
full scope of the invention is defined by the following claims.

Claims

1. A method for preventing monitoring of postage indicia data
sent from a postage metering vault to a remotely located digital
printer over a communication link between the meter vault and
the digital printer comprising the steps of:

providing said meter with means for encrypting data utilizing an
encryption key;

providing said digital printer with means for decrypting postage
data received from said meter utilizing said encryption key;

encrypting said postage indicia data;

transmitting said encrypted postage indicia data to said digital
printer;

decrypting of said postage indicia data by said decrypting
means; and

printing of a postage indicia by said digital printer pursuant
to said decrypted postage indicia data.

2. A method for preventing monitoring of postage indicia data
sent from a postage metering vault to a remotely located digital
printer over a communication link between the meter vault and
the digital printer as claimed in claim 1, further comprising
the steps of:

providing said postage metering vault with an encryption key
manager for generating an encryption key pursuant to a token;

providing said digital printer with means of generating said
token;

communicating said token to said postage meter vault; and

generating an encryption key by said encryption key manager in
said postage meter vault pursuant to said token such that said
encryption key of both of said encryption key managers are
identical.



3. A postage metering system having a postage meter remote from
a digital printer used to print said postage indicia,
comprising:

said postage meter having means for generating data
representative of a postage indicia and having encryption means
for encrypting said data representative of a postage indicia
pursuant to an encryption key;

said digital printer having means for decrypting said data
representative of a postage indicia and printing a postage
indicia pursuant to said decrypted data; and

communication means for communication of said encrypted postage
indicia to said digital printer.

4. A postage metering system having a postage meter remote from
a digital printer used to print said postage indicia as claimed
in claim 3, further comprising:

said postage meter having an encryption key manager means for
generating an encryption key in response to a token;

said digital printer having an encryption key manager means for
generating a new encryption key, when desired, as a function of
said decrypted data, and generating said token as a function of
said decrypted data; and

communication means for electronically communicating said token
to said postage meter encryption key manager.

5. A postage metering system having a postage meter remote from
a digital printer used to print said postage indicia as claimed
in claim 3, further comprising:

said postage meter having an encryption key manager means for
generating an encryption key in response to a token;

said digital printer having an encryption key manager means for
generating a new encryption key, when desired, as a function of
a randomly generated token; and

communication means for electronically communicating said token
to said postage meter encryption key manager.

6. A method for preventing monitoring of postage indicia data
sent from a postage metering vault to a remotely located digital
printer over a communication link between the meter vault and
the digital printer, comprising the steps of:

encrypting postage indicia data at said meter utilizing an
encryption key;

transmitting said encrypted postage indicia data over said
communication link to said digital printer;

decrypting said postage indicia data at said digital printer
utilizing said encryption key; and

printing postage indicia using said digital printer according to
said decrypted postage indicia data.

7. A method according to claim 6, further comprising the steps
of:

generating in said digital printer a token representing a
specific encryption key;

communicating said token to said postage meter; and

generating an encryption key in said postage meter pursuant to
said token such that said encryption keys of said digital
printer and said postage meter are identical.

8. A postage metering system comprising a digital printer (21)
used to print said postage indicia, a postage meter (11) remote
from said printer (21), and communication means (C11) for
communication of encrypted postage indicia to said digital
printer;

said postage meter (11) having means (33) for generating data
representative of a postage indicia and having encryption means
(37) for encrypting said data representative of a postage
indicia pursuant to an encryption key; and

said digital printer (21) having means (53, 55) for decrypting
said encrypted data representative of a postage indicia and
printing a postage indicia pursuant to said decrypted data.

9. A postage metering system according to claim 8, wherein:

said digital printer (21) has an encryption key manager means
(61) for generating a new encryption key, when desired, as a
function of printer operation, and for generating a token,
representing said new encryption key; and

said postage meter (10) has an encryption key manager means (39)
for generating an identical encryption key in response to
receipt of said token communicated electronically, over said
communication means (C11), from said printer encryption key
manager (61).

10. A postage metering system according to claim 8, wherein:

said digital printer (21) has an encryption key manager means
(61) for generating a new encryption key, when desired, as a
randomly selected key and for generating a token representing
said new encryption key; and

said postage meter (10) has an encryption key manager means (39)
for generating an identical encryption key in response to
receipt of said token communicated electronically, over said
communication means (C11), from said printer encryption key
manager (61).